Yubico Forum

PostPosted: Tue Sep 15, 2015 6:28 am 

Joined: Tue Sep 15, 2015 6:09 am
Posts: 2
I've got a new NEO which I want to use as a smartcard for BitLocker on Windows 7 64-bit. Following a Microsoft guide on certificate creation using certreq.exe, I've tried to create a certificate with the following parameter file:

[NewRequest]
Subject = "CN=BitLocker"
KeyLength = 2048
ProviderName = "Microsoft Smart Card Key Storage Provider"
KeySpec = "AT_KEYEXCHANGE"
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
RequestType = Cert
SMIME = FALSE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.4.1.311.67.1.1

From here: https://technet.microsoft.com/en-us/library/dd875530(v=ws.10).aspx#BKMK_sscert

But when I do that, it prompts me to insert a smartcard, even though the NEO is plugged in and the PIV manager can see it.
CCID is enabled on the NEO, Windows Control Panel shows the smart card reader installed as a "Microsoft Usbccid Smartcard Reader (WUDF)", and shows the smart card installed as an "identity Device (NIST SP 800-73 [PIV])", both of which, as far as I can tell from reading the documentation, are correct.

Attachment: card.jpg


But i get a prompt saying: "A smart card was detected but is not the one required for the current operation. The smart card you are using may be missing required driver software or a required certificate". This box shows the NEO as the reader and the correct identity device.

Am i missing something?


If I instead use the YubiKey PIV Manager (1.0.2), click Certificates, click Generate new key, select a 2048-bit self-signed certificate, and enter the PIN and management key, it generates a new key in slot 91 and loads a self-signed certificate. But if I then go to a BitLocker-protected volume and try to use the smartcard, it says a certificate suitable for BitLocker cannot be found on my smartcard.

I've been through various guides, but can't find a solution.

Am i missing something?

Thanks.



PostPosted: Tue Sep 15, 2015 7:30 am 

Joined: Tue Sep 15, 2015 6:09 am
Posts: 2
After finding a guide on certificate creation for smartcards on a rival product's website, and doing some experimentation, I discovered that I needed to add the following registry key to enable self-signed certificates:

HKLM\Software\Policies\Microsoft\FVE

And then added a new DWORD called "SelfSignedCertificates" with a value of 1 to it.

Then I worked out that I had to omit the following line from the request:

ProviderName = "Microsoft Smart Card Key Storage Provider"

By removing that line, when running "certreq -new certrequest.txt" at a command prompt, as well as signing the certificate, it allows it to be saved as a file instead of directly to the card. Then, through the MMC -> Certificates snap-in, I can export the certificate as a .pfx and import the certificate onto the NEO using the PIV Manager.
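The procedure described above, written out as a PowerShell script for an elevated prompt. This is an added example, not code from the thread or from Yubico; it assumes Windows 8 or later for Export-PfxCertificate, writes its files under %TEMP%, and adds Exportable = TRUE to the INF so the private key can be exported with the certificate.

```powershell
# Added example: Windows-side preparation of a self-signed BitLocker smart card
# certificate, following the steps in the post above. Paths and the PFX password
# prompt are assumptions; run from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'

# 1. Allow BitLocker to accept self-signed certificates. The value does not exist
#    by default; create the key if needed and reboot afterwards.
$fve = 'HKLM:\Software\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name 'SelfSignedCertificates' -Value 1 -Type DWord

# 2. certreq parameter file. ProviderName is deliberately omitted so the key is
#    created in the software provider and can be exported as a .pfx, instead of
#    certreq trying to create it on the smart card directly.
#    Exportable = TRUE is added here (assumption) so the private key can be exported.
$inf = @"
[NewRequest]
Subject = "CN=BitLocker"
KeyLength = 2048
KeySpec = "AT_KEYEXCHANGE"
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
Exportable = TRUE
RequestType = Cert
SMIME = FALSE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.4.1.311.67.1.1
"@
$infPath = Join-Path $env:TEMP 'bitlocker-request.inf'
$cerPath = Join-Path $env:TEMP 'bitlocker.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII
certreq.exe -new $infPath $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 3. Locate the new certificate by its BitLocker EKU and export it with the
#    private key; the resulting .pfx is what the PIV Manager imports onto the NEO.
$bitlockerEku = '1.3.6.1.4.1.311.67.1.1'
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $bitlockerEku) } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'No certificate with the BitLocker EKU was found in CurrentUser\My' }
$pfxPath = Join-Path $env:TEMP 'bitlocker.pfx'
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Write-Host "Exported $($cert.Thumbprint) to $pfxPath; import it with the PIV Manager."
```

Reboot after the registry change before testing the card against a BitLocker volume.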


PostPosted: Fri Apr 29, 2016 5:30 am 

Joined: Wed Apr 27, 2016 11:44 pm
Posts: 7
The above method of enabling self-signed certificates doesn't work for Windows 10. How do I do this for Windows 10?


PostPosted: Tue May 03, 2016 11:43 pm 

Joined: Tue May 03, 2016 11:09 pm
Posts: 6
genealogyxie wrote:
The above method of enabling self-signed certificates doesn't work for Windows 10. How do I do this for Windows 10?

You could try getting a free S/MIME cert from StartSSL. They are not self-signed/globally trusted and maybe that is enough for bitlocker.


PostPosted: Fri May 06, 2016 7:37 am 

Joined: Wed Apr 27, 2016 11:44 pm
Posts: 7
T4cC0re wrote:
You could try getting a free S/MIME cert from StartSSL. They are not self-signed/globally trusted and maybe that is enough for bitlocker.

What are the exact steps in doing that? I tried getting a certificate from them (using the generated by myself option as the other option gave me an error) and it didn't work. Am I missing something?


PostPosted: Tue Aug 16, 2016 1:41 am 

Joined: Mon Aug 15, 2016 5:37 am
Posts: 5
I got a free S/MIME cert from Comodo, and it was all of ten minutes until I had encrypted mail set up on my MacBook.

https://www.comodo.com/home/email-secur ... ficate.php

I'm still trying to figure out how to import it onto my Neo, though.

Any instructions for that?


PostPosted: Fri Aug 19, 2016 6:52 am 

Joined: Wed Aug 03, 2016 1:26 pm
Posts: 5
Hi,
Quote:
You could try getting a free S/MIME cert from StartSSL

those StartSSL S/MIME certificates didn't work for Bitlocker for me. But you can indeed use self-signed certificates for Windows 10 by adding this DWORD "SelfSignedCertificates" to HKLM\Software\Policies\Microsoft\FVE. The value is originally not there, so simply add it, restart the PC and it should work. You can also use the PIV Manager GUI to create a certificate, it's easier than certreq.exe etc.

Cheers,
Gerhard


PostPosted: Fri Aug 19, 2016 6:57 am 

Joined: Wed Aug 03, 2016 1:26 pm
Posts: 5
Hi again,
Quote:
I'm still trying to figure out how to import it onto my Neo, though.

I did that with the PIV Manager GUI tool as well. Simply choose the right slot (as far as I can remember it is "Digital Signature") and hit "Import from file...", then choose the certificate and it should be stored onto the NEO.

Regards,
Gerhard


PostPosted: Sun Aug 21, 2016 4:35 am 

Joined: Sun Nov 15, 2015 11:47 pm
Posts: 36
Since you seem to be using NEO in PIV mode, you need to fully initialize the token.
Code:
yubico-piv-tool
has the capability to create CHUID and CCC data objects that must be present on a PIV card before software that expects PIV can work with it. The command would be something like
Code:
yubico-piv-tool -a set-chuid -a set-ccc


Please post here if that helped.


PostPosted: Wed Oct 19, 2016 3:24 am 

Joined: Mon Aug 15, 2016 5:37 am
Posts: 5
TheRealSnafu wrote:
Hi again,
Quote:
I'm still trying to figure out how to import it onto my Neo, though.

I did that with the PIV Manager GUI tool as well. Simply choose the right slot (as far as I can remember it is "Digital Signature") and hit "Import from file...", then choose the certificate and it should be stored onto the NEO.

Regards,
Gerhard
So much easier with the GUI utility! Thank you.

mouse008 wrote:
Since you seem to be using NEO in PIV mode, you need to fully initialize the token.
Code:
yubico-piv-tool
has the capability to create CHUID and CCC data objects that must be present on a PIV card before software that expects PIV can work with it. The command would be something like
Code:
yubico-piv-tool -a set-chuid -a set-ccc


Please post here if that helped.
I'm disappointed that this isn't in the GUI PIV tool. Also, I'm not sure how to get the CLI tool to run. I'll fiddle with it, but if you have advice, I'd appreciate it.

Is there any software I'll need - Centrify Express or something like it - to pass the certificate on the Yubikey to Apple Mail?

Edit: When I go to the directory, and type in "yubico-piv-tool" I get the following:
Code:
computer:bin user$ yubico-piv-tool
-bash: yubico-piv-tool: command not found


When I drag the executable directly to the terminal window, I get this:
Code:
computer:bin user$ /Users/user\ 1/Downloads/yubico-piv-tool-1.4.2-mac/bin/yubico-piv-tool -s 9c -a set-chuid
Failed authentication with the application.


I've found it - from the PDF:
Quote:
Failed authentication with the application
This error message occurs when authentication with the management key fails. If you previously reset the management key, be sure you provide the new management key with the -k switch in every command line where YubiKey authentication is required.
This error also occurs if the PIN is required and is typed incorrectly.
For example:
yubico-piv-tool -a change-pin -P 123456 -N $pin -k 010203040506070801020304050607080102031234597899
where 010203040506070801020304050607080102031234597899 is the new management key.

